Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable SQLi needing a Subscriber account (PR:L) and no interaction; high confidentiality data read with scope change, no integrity impact and only limited availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in Unicamp <= 2.2.2 versions.
AnalysisAI
SQL injection in the Unicamp WordPress theme (versions 2.2.2 and earlier) by ThemeMove allows an attacker holding a low-privilege Subscriber account to inject arbitrary SQL into backend database queries. Because the CVSS scope is marked changed with high confidentiality impact, a successful attacker can read data beyond their normal authorization boundary, including other users' records and potentially credentials stored in the WordPress database. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Technical ContextAI
The affected component is the Unicamp commercial education/LMS theme for WordPress distributed by vendor ThemeMove (CPE cpe:2.3:a:thememove:unicamp:*). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input reaching a Subscriber-accessible endpoint is concatenated into a SQL statement without proper parameterization or sanitization. In WordPress themes this class of bug typically arises when AJAX handlers or theme-specific query functions pass request parameters directly into $wpdb queries rather than using prepared statements, allowing an authenticated user to alter query logic.
RemediationAI
Upgrade the Unicamp theme to a fixed release above 2.2.2 as published by ThemeMove; the input data does not specify an exact patched version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/unicamp/vulnerability/wordpress-unicamp-theme-2-2-2-sql-injection-vulnerability) and the ThemeMove changelog for the corrected build before deploying. Until a confirmed fixed version is applied, reduce exposure by disabling open user self-registration (Settings > General > 'Anyone can register') to remove the Subscriber-account prerequisite, at the cost of blocking legitimate new sign-ups; restrict or virtually patch the vulnerable theme AJAX/query endpoint using a WordPress WAF or Patchstack's virtual patching, which may interfere with theme functionality if rules are overly broad; and audit existing Subscriber accounts for suspicious registrations. Because a released patched version is not independently confirmed here, verify the fix version with the vendor rather than assuming any specific number.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210400
GHSA-gq2f-q58f-r6j8